 have you ever thought about, as a developer, either hardware or software, how your products can be used or abused? What about the dual use tools? They can be used for findings, stuff like your phone or your bag, but they can also be used for tracking people. Here with me on stage to talk all about this is, and I would like to ask you to welcome a very, very, very warm round of applause, is Chantal with It's Not Just Stock Aware. Thank you. I'm going to start this off with saying I'm fucking nervous. So if I fuck this up, I have stickers with me to make it up to you. And then I also have a trigger warning because I am going to be talking about stocking. So if you're not comfortable with this topic, don't worry, that's okay. I will give you a little bit of time to opt out. But I think we're all good, right? Then I'm going to continue. Has any one of you ever been stalked by an AirTag? Yes, a couple. And who of you have been stalked by an AirTag? By me. Yes. If you were not in this last group, I'm really sorry, that really sucks. And feel free to come talk to me after this presentation. But I am Chantal Stegenberg, and sometimes I stalk people with AirTags for science. Apple released the AirTag in April of 2021. This is an AirTag, you probably can see it, but there's a good picture here. And very quickly after that, there were a lot of concerns. And even reports of stalking with AirTags. It seems they didn't really think about how an AirTag could be used for stalking. But we're now a year later, and they have released multiple security improvements for the AirTag. iPhone users, they get a notification if they're being followed by an AirTag that is not yours. And the thing should also beep when it's not in the vicinity of its owner. But Android users have to install a separate app to scan for AirTags. And still the same thing with the beeping, it will also happen after some time. It's away from the owner's phone. But I was kind of curious. And I wanted to know if I could actually stalk people with an AirTag. So I sat all my male colleagues down and some friends. And I asked them if I could actually stalk them. And a lot of them said yes. So I wanted to see if they get a notification and if it would start beeping. And I also wanted to know if you could hear the beeping. And it turns out that if you have an iPhone, the notification that you are being followed by an AirTag, it works. It shows up within the hour. Yeah, already a little bit of time to follow you, but reasonable. But without an iPhone, how would they know? Because who is going to use this very specific app to scan for AirTags multiple times today to see if you're being followed? I don't think a lot of people do that. And not once in my experiments did it actually start beeping. But if it would, it would be very easy to disable that beforehand. And you can even buy them with the sound disabled. It's big business because this is way more money than the original AirTag. So Apple made a very affordable tracker or stalking device. But they are not the only one. There's the Samsung SmartTag, the AirTag, and you have Tile. This is a SmartTag. And many, many more. But actually, that is a very small portion of what you or I, as a potential stalking victim, would have to worry about. Last week on Twitter, I asked my followers, what do you think that stalkerware is? And it seems that we have a pretty good idea of what that is. So software used to track what someone does with a device or what the location is without them knowing, of course. Or all hard and software that collects data to track you online and or in real life without your consent. Spyware installed with the intention of one individual to gather data, such as location of another covertly. And yeah, that all is stalkerware. From September 2022, May 2021, the number of devices infected with stalkerware increased by 63%. And this is according to a study by Nordall Labs. And they actually saw an upward trend in stalkerware as people went into lockdown. Many people were first forced to spend more time at home. And this likely created more opportunities for perpetrators to actually install stalkerware on their partner's device. And as lockdown subsided, it seems as though stalkerware installation has ceased to increase, but it's still at very high levels. Fortunately, there are also some great initiatives to help and fight stalkerware. The coalition against stalkerware actually got a lot of the biggest antivirus companies to detect stalkerware and alert users. Almost anyone can become a victim of stalking. Stalkers do not just target celebrities. Sometimes they are ex-partners, and they are known to the victim. But it could also be an acquaintance or just a simple stranger. And with stalkerware, the perpetrator needs access to the device. Or they need to persuade the victim to install something on the device. And in cases where the stalker is an ex-partner or current partner, that is doable. But in other cases, it is way easier to gain access to the account of the victim. Gather information about the victim on social media or use those tracking devices. Tech companies, they develop new apps and gadgets, seemingly without thinking about other ways they can be used. And the air tech was a very good example of that. So you might be wondering why and how I got interested in this topic. It's a little bit of a journey. Six years ago, I started working at Xerocopter in marketing. But I was so fascinated by all the vulnerabilities our researchers were finding that I needed to know how that all worked. And I started learning how to hack. And today, I am head of researchers at Xerocopter, and I got to meet so many great people in security. And one of them was Valentin Marrette. We were visitors at a conference, and we noticed that we were amongst the very few women there. So in 2019, we founded WCA, Women in Cybersecurity Community Association. And next to the also meetups we organized with WCA. We have one tonight, even. So if you want to join, please come. And there was also something that happened that we did not think of when we started WCA. And victims of stalking, they trusted us enough to ask us for help. Most of them were women, and they wanted to be helped by women. And they didn't know where to go. There is so little out there to get help. They needed help. They needed help with gathering evidence to go to the police. They needed help with making sure the stalker no longer had access to their device, the phone, or the laptop. And they also often want reassurance. So they need help with checking if someone no longer has access, if that's actually all done. They want to reassurance. And we started doing that, and we still do. And this was also one of the reasons why I became a volunteer for the Dutch police. And I started working on stalker cases for the Dutch police as well, and especially if it involves something digital. But in all of those cases in the past few years, I personally never encountered a case involving an air tag or Samsung Galaxy tag or a towel, not yet. It's very hot topic in the media. It's very cool to write articles about it. But this is not what happens in most cases. It usually goes a little something like this. This is a very anonymized, generic story. But Emily, that's our victim, she gets an email from a social media platform that there was a login from a different location. But yeah, she gets those emails more often, and she dismisses it. But a day later, she opened the app, and she had to log in again. And she thought, yeah, a little bit strange, but oh well. Later that week, she gets a text message from her ex, and he is asking if she had fun in Amsterdam. But she was thinking, how does he know? Did I post something about this? I can't remember that. I only talked about this to my friend in a DM. This is weird. So she asked her ex how he knows, but yeah, he's not giving straight answers. He's being vague about it. So yeah, she thought maybe that email was something. I should change my password. But she already has a really uneasy feeling. And yeah, she changes her password, but she's not sure about it. A month later, her ex is at her apartment because they recently broke up, and she still had some stuff from him, so he needed to pick it up. But that's not the only thing he did. He was also fighting with her. He's not happy with the breakup. He wants her back. He is angry at her, and she has to work really hard to get him to leave. But he's also very upset that she apparently moved on with her life. And he's giving all kinds of examples. But after the message from last month, she barely posted anything on social media because she already had an uneasy feeling. So why does he think that she has moved on? And how does he know all this stuff? In the days after, this more and more starts happening. On a different social media platform, she can't seem to find some of the messages that were sent to her. And she also unfollowed some people all of the sudden. She gets many of these emails from various services that the logging was from an unknown location. And yeah, she keeps changing the passwords, but it doesn't really stop. Then one day, she gets a message from a friend. Hey, is this you? And there's a screenshot of a dating site profile. And she replies, no. Where did you find this? And then he decides to explain this to her on a phone call. He explains where he found the dating site profile. But the text in the bio is a little bit strange. So that's why he decided to contact her. He goes on to tell Emily that the profile is asking for explicit sex acts. And that if someone messages the profile, they can get some nudes and an address. And this is where I'm going to stop, because I think we can all imagine that this is a very frightening situation. And it leaves you with a lot of questions. But where do you start with finding help if you don't know what's going on? And I'm sure many of you already have a checklist in your head of things to check, things to do, things to turn on. But most people don't understand what is going on. And they don't have this checklist. So for many victims, this feels very lonely, and they feel a lot of shame. They are constantly afraid of what is going to happen next. And then they also have to go on this big search to get help, because what do you Google? Some of them they end up with the police, but the police are dependent on the evidence that they can get. And to get evidence that someone has access to your accounts is not always easy. Victims, they change their passwords to try and fix it. They reinstall their phones or laptops. They even buy new phones and laptops to make sure that no one can get in. So not all evidence can be gathered anymore. And this makes that these cases are pretty hard. And what I have experienced in all of those cases is that the victims really don't know where to turn to. And yeah, this is where I think I and us, you, we can all help. Stocking victims are upset. They are frightened. And they really don't feel safe. But can we help them feel safe and stay safe? I know that in this tent, we probably all understand strong, unique passwords and multi-factor authentication. And that would have prevented a lot for Emily. So if you have something, someone you know that doesn't understand this as well as you do, please help them. Help them understand what they can prevent by setting this all up. That's it. Thank you. Thank you very much. We do have time for questions and answers if you are up to it. OK, great. Unfortunately, no questions from the internet. So anyone in the audience, any questions, comments? Come up to the microphone, please, in the middle. There are two microphones in the middle. Walk up to them. And I will call you. Yes, just walk towards and close to the mic. Yes, exactly like that. Yeah, OK. So just a question. Well, first of all, super interesting thanks for your presentation. The case was very interesting on seeing what happens. But I'm a bit curious if there's anything you can share after that happens. Like for example, in this case, Emily, we know, yeah, all the compromise and whatever. Did you just go and do the research in depth, try to get back to the person, eventually, to the police? Or do you actually just go and try to fix it, patch it? I don't know what. Yeah, in most cases, we either try to, they come after they've been to the police, they come to us to, they want to make sure that no one is in there anymore. So and then we help them go through every checklist and set everything up. So yeah, with multi-factor authentication, strong, unique passwords. But in some cases, they have also been to the police and they say there's not enough evidence. And in that case, we do try to help gather that evidence. And that is a long process. Sometimes it can take up to months or even years. But we try to gather evidence, document everything that is happening, make screenshots, yeah, try to gather everything so that, yeah, they have a little bit more evidence and then maybe the police can go after someone. Sometimes it's also not known who the perpetrator is. And in that case, it's very difficult. But in most cases, the victim already has a hunch. They already know of someone that might do this. And in my experience, it's usually that person. Yeah. Thank you. Next question, please. Yep. Let's first say a question, more like a comment. Like during the telling of the story of Emily, I felt like I just wanted to punch that guy in the face. Yeah, me too. Yeah. It's just so fucked up that this kind of stuff happens. Yeah, and that is really something I learned in the past couple of years is that this has such an emotional impact on victims. That sometimes they get so paranoid that, yeah, they can't even leave their house. So yeah, it's a lot of impact. Yeah. Yeah, just this way too much. There must be ways this should be regulated and like there should be some kind of education. So people will, so people can go through their phones and check for like malicious apps or like an organization that's like... A lot of antivirus companies now have this detection in their antivirus. So if you install this on your phone, they actually scan for stalkerware and they alert you. So I think that's a really good thing. But it sounds like you want to help. Yeah, I definitely want to help. Let's do it. Sure. Cool. Cheers. Thanks for the talk. Just wondering if anyone, say for someone came to me and said, hey, I think I might be a victim of stalkerware. Do you have any advice on where that person should go? You mentioned obviously Wicca and stuff like that and you seem to be helping people already. Is there resources that I can push them towards? Like here's a checklist. If you're feeling uncomfortable talking to people or these people you can go to, are there any kind of like... You mentioned the police already. Do they have a way you talk to them? Yeah, that's a little bit of the problem I think. So for stalkerware software that's actually installed on your phone or your laptop or anything, there is some like detection for that. So but then, yeah, in the case of that, someone is in your account, for example, Facebook, iCloud, I don't know. That's something completely different. And then you have the air techs, you have plenty more variations. There's not one single point you can go to, except for the police. And then, yeah, they need evidence. So that's difficult. So that's why I'm indeed, I'm asking for help because I don't have all the sources also. But I think we can improve a lot in that. And we can help victims to point them in the right direction. Cheers. Do you have any checklists or warning signs for people to look out for, for other people? An example for me would be account sharing. And like, oh yeah, he knows my password. That's a big red light. I admit that I don't also have an entire database that I already publicly shared. I do have some stuff and I'm going to share that. But usually it's like all different kinds of lists that I send to people. But it's also like these people are not as tech-savvy as we are. So it helps if you walk them through it. More what I mean is like for the technical person, for things to look out for. Oh yeah. Personally it would be like, hey, I have a friend and she shares her email account with her boyfriend. Yeah. I would recommend not doing that. Coming up, yes. Awesome, thanks. Please come up closely to the microphone. Thanks, thank you. Thank you. That was a great talk. The coalition against stalkerware. Is that something one can get involved with from different countries and stuff like that? I think so. I don't. You go. Should we build our own? No, yeah, no. I think the coalition against stalkerware is very, so they got antivirus companies to work together and to detect stalkerware. So that is one thing they done, but they've done a lot more stuff. And this is international, so yeah, definitely, yeah. And also yesterday by chance, one of my friends who has all the Apple products and the FindMyAnything turned on got a notification that someone with AirPods might be following that. Yeah, AirPods can be used as well, yeah. But working backwards, someone with, and then you could see where the AirPods had been, also places where he hadn't been. Yeah. So the anti-stalker function could be used to stalk, for instance, your partner. Yeah. Their AirPods will often be near you. Yes. And they gave more information that was needed. Yeah, I know, yeah. It's not perfect, no, not at all. Thank you for all the wonderful questions. Are there any questions from the internet? No. Any more questions from the audience? Last call? If not, where can people find you if they've heard a question apart from online, somewhere around here at the bottom? Yeah, I know, I'm here all the days. So, yeah, the zero-cups are dead. Well, everyone in the room, please give another very warm round of applause for Shontal, thank you very much.